Impact
Conjur Roles defined in a subsequently deleted policy branch may retain access to secrets
Patches
Upgrade to Conjur OSS 1.21.0.1 or later
Once you have upgraded Conjur Open Source to version 1.21.0.1, you can run provided Rake tasks to determine if you are affected and to clean up any orphaned roles present. To run either of these commands, you must be in a shell inside your Conjur container.
To determine if any orphaned roles are present, run:
rake db:preview-orphaned
This will list any orphaned roles present in your database. Review this list. If there are any roles which you wish to retain, see the “How do I keep some of the orphaned roles detected?” section below.
To remove all orphaned roles, run:
rake db:remove-orphaned
This will immediately delete any orphaned roles present in your database. Once they have been deleted, they will no longer be able to authenticate to the system. There is no undo functionality provided for this command. If you remove a role you still need, you will have to restore your Conjur instance from backup or create new policy branches to redefine the role(s).
How do I keep some of the orphaned roles detected?
If running one of the above preview commands reveals that a role that you are using is considered orphaned, you will lose access to this role if you run the tasks to clean up the orphans. If you are using one or more of the orphans, your options are to either stop using the role or to load new policy that defines that role again. Newly defining the role in a policy branch will retain the role’s permissions and API key and prevent the orphaned roles cleanup tasks from removing this role. We recommend re-running the preview commands after loading this new policy to confirm that the roles you wish to preserve no longer appear in the list of roles to remove.
Workarounds
There are no workarounds for this issue
Impact
Conjur Roles defined in a subsequently deleted policy branch may retain access to secrets
Patches
Upgrade to Conjur OSS 1.21.0.1 or later
Once you have upgraded Conjur Open Source to version 1.21.0.1, you can run provided Rake tasks to determine if you are affected and to clean up any orphaned roles present. To run either of these commands, you must be in a shell inside your Conjur container.
To determine if any orphaned roles are present, run:
rake db:preview-orphaned
This will list any orphaned roles present in your database. Review this list. If there are any roles which you wish to retain, see the “How do I keep some of the orphaned roles detected?” section below.
To remove all orphaned roles, run:
rake db:remove-orphaned
This will immediately delete any orphaned roles present in your database. Once they have been deleted, they will no longer be able to authenticate to the system. There is no undo functionality provided for this command. If you remove a role you still need, you will have to restore your Conjur instance from backup or create new policy branches to redefine the role(s).
How do I keep some of the orphaned roles detected?
If running one of the above preview commands reveals that a role that you are using is considered orphaned, you will lose access to this role if you run the tasks to clean up the orphans. If you are using one or more of the orphans, your options are to either stop using the role or to load new policy that defines that role again. Newly defining the role in a policy branch will retain the role’s permissions and API key and prevent the orphaned roles cleanup tasks from removing this role. We recommend re-running the preview commands after loading this new policy to confirm that the roles you wish to preserve no longer appear in the list of roles to remove.
Workarounds
There are no workarounds for this issue